NSA, Metadata, and Congress

David Cole in the New York Review of Books has a new article, "We Kill People for Metadata" on the mistaken notion that the NSA's collection of metadata in its pursuit of terrorists is no big deal because it does not collect the content of communications, only details about them. First he quotes NSA counsel Stewart Baker:

“Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.”

He then quotes General Michael Hayden, former director of the NSA and the CIA:

“We kill people based on metadata.”

[More...}

When the NSA collects phone records, it gets much more than the numbers dialed. If the devil is in the details, then metadata is the devil. (See my posts here and here.) Metadata can provide the Government with much more information about you than content. It tells a lot about your life. Even Congress, which has had no trouble passing and extending the Patriot Act, has become troubled enough by the NSA which has now admitted that it collects data on every call made by everyone in the country, to start pushing for passage of a bill to restrict the NSA.(The USA Freedom Act.) As Cole says, it's a first step, but there is much more to be done to protect our privacy, and it would be a mistake to just pass this bill and put the issue on the shelf.

Cole explains the NSA process of collecting records that are "hops" removed: The NSA collects the phone records of someone it suspects of being connected to terrorist activity. It looks through the phone records, and then checks the phone records of everyone that person was in contact with. That's the "first hop." And then, it examines the records of the "first hop" and gets the records of everyone he or she communicated with. So the NSA is now getting records of persons "two hops removed" from the person it suspected had terrorist ties. And that's how Americans who have absolutely no connection to terrorism, and have not engaged in any wrongdoing, end up in the NSA's vast databases. As Cole writes:

The fact that you may have called someone (say, your aunt) who in turn called someone (say, the Pizza Hut delivery guy) who was in turn once called by a suspected terrorist says nothing about whether you’ve engaged in wrongdoing. But it will land you in the NSA’s database of suspected terrorist contacts.

Cole then goes into the USA Freedom Act and writes:

The USA Freedom Act would prevent the NSA from continuing to collect phone records on everyone for no reason. And phone records would be retained by the phone companies, rather than the NSA, requiring the NSA to make a request to the phone companies for a specific record. And after reviewing the specific record, it can still ask the Court to approve record requests for those who are one and two "hops" away.

....[T]he court could order phone companies to produce phone calling records of all numbers that communicated with the suspect number (the first “hop”), as well as all numbers with which those numbers in turn communicated (the second “hop”).
More protection is needed:

Through these authorized searches the NSA would still be able to collect large amounts of metadata on persons whose only “sin” was that they called or were called by someone who called or was called by a suspected terrorist or foreign agent. At a minimum, “back-end” limits on how the NSA searches its storehouse of phone numbers are still needed.

It does not address, for example, the NSA’s guerilla-like tactics of inserting vulnerabilities into computer software and drivers, to be exploited later to surreptitiously intercept private communications. It also focuses exclusively on reining in the NSA’s direct spying on Americans. As Snowden’s disclosures have shown, the NSA collects far more private information on foreigners—including the content as well as the metadata of e-mails, online chats, social media, and phone calls—than on US citizens.

Cole brings up two NSA programs exposed by Edward Snowden: PRISM and MYSTIC. NSA uses PRISM to collect "both content and metadata from e-mail, Internet, and phone communications by millions of users worldwide." With MYSTIC, the NSA has created the ability to record every single phone call in a foreign country. The Washington Post outlined the program here.

The National Security Agency has built a surveillance system capable of recording “100 percent” of a foreign country’s telephone calls, enabling the agency to rewind and review conversations as long as a month after they take place, according to people with direct knowledge of the effort and documents supplied by former contractor Edward Snowden.

The results, Cole writes, is that the NSA is collecting, "again by the millions and billions, foreign nationals’ e-mail contact lists, cell phone location data, and texts. This is the very definition of dragnet surveillance."

Cole notes that Congress isn't too inclined to care about the rights of foreigners. But it's not just foreigners.

In the Internet era, it is increasingly common that everyone’s communications cross national boundaries. That makes all of us vulnerable, for when the government collects data in bulk from people it believes are foreign nationals, it is almost certain to sweep up lots of communications in which Americans are involved.

As initially proposed, the USA Freedom Act contained a fix for this (known as "the back door.") But that's already been stripped from the bill:

The initial version of the USA Freedom Act accordingly sought to limit the NSA’s ability to conduct so-called “back door” searches of content collected from foreigners for communications with Americans citizens. But that provision was stripped in committee, leaving the back door wide open.

The NSA isn't the only agency collecting vast amounts of phone records "hops" away from each other. The DEA does it too, through their Special Operations Division and vast databases like DICE. The DEA uses the information in criminal cases and civil forfeitures. The DEA can obtain phone records, with metadata with a mere subpoena. Pro Publica has this article on how the Government gets records with just a subpoena. Also see this EFF article on how the DEA uses it in drug cases. No court order is required and there is no judicial oversight, even when the phones are "hops away" from anyone suspected of illegal activity. Without any contact between the person under investigation and the person two hops removed, they might claim the records are evidence the person two hops removed is involved in the same criminal activity as the person whose records they initially sought. According to Reuters, there are over 1 billion records in the DEA's DICE database, most of which are compilations of phone log data.

The OIG is examining the DEA’s use of administrative subpoenas to obtain broad collections of data or information. The review will address the legal authority for the acquisition or use of these data collections; the existence and effectiveness of any policies and procedural safeguards established with respect to the collection, use, and retention of the data; the creation, dissemination, and usefulness of any products generated from the data; and the use of “parallel construction” or other techniques to protect the confidentiality of these programs.

There is no evidence this vast collection of phone records and metadata has made us safer. It does, however, promise to make us less free. As Cole says, it's never going to be possible to eliminate all risk:

If we want to preserve the liberties that define us as a democratic society, we have to learn to live with risk. It is the insistence on preemptively eliminating all terrorist threats—an unattainable goal—that led the NSA to collect so much information so expansively in the first place.

Cole's article ends with this thought about the USA Freedom Act:

If the Senate can pass or even strengthen the USA Freedom Act, as Senator Leahy has said he intends to do, it will be a significant achievement for civil liberties. But the biggest mistake any of us could make would be to conclude that this bill solves the problem.

Most civil liberties groups support the bill despite the stripping down of its protections.

I have no doubt that the compromise required to get any bill passed by Congress is going to result in a watered-down bill. It always does. Our elected officials will pat-themselves on the back, and crow to America that they are safe-guarding our civil liberties. At some point, one has to ask, is a watered-down bill better than no bill? When the watered-down version passes, Congress will move on to other matters. It could be years before it turns its attention back to the civil liberties problems engendered by the NSA program.

I think the bill should be supported as being better than no bill, but the public should know this is a compromise, and it's nothing to crow home about.

It is startling to realize that we gave up our freedoms so easily.
A rapid agenda-driven White House, combined with a hysterical, unthinking opposition party, armed with media that would do Goebbels proud, undid in an instant qualities and protections that had provided a beacon of hope and courage to the world.

As to the last question posed by Jeralyn:

"At some point, one has to ask, is a watered-down bill better than no bill? "

my inclination is to say that "no bill" would be better than a watered-down bill that gives only the illusion of reform - unless we had some sense that we had political leadership that would continue the fight daily and vocally - from the halls of Congress and the bully pulpit of the White House.

warp speed technological advances, new forms of ideological/military adversaries, and, a financial inequality that, left unchecked, will lead to social chaos.

Having said that, new methods, and, different perspectives will have to be implemented.

Of course, that is predicated on the notion that our Leadership is up to the task, and, that our citizens have trust and faith in their motives.

What we've witnessed over the past several decades indicates that none of those requirements have been met. The threat to our country and way of life does not come from Al Qaida, it comes from Washington DC. And, just like there can be no winner in a nuclear war, it seems that our leaders have decided that we must destroy our country in order to save it.

...it seems that our leaders have decided that we must destroy our country in order to save it.

is something I have thought about.

If a foreign power would have taken over and voided some of our most cherished constitutional guarantees, we would be in the same boat we are now, but we might see how we got there a little clearer than we do now.

what is in the bill. The people that it would apply to don't care, and if they disobey the law a. we won't know and b. they will not be prosecuted. It is just like the financial industry regulations. I am sorry to say I really fail to see the point.

there are with the collection of so much data, but I think it's hard to fix something when only a select few seem to be completely read in to what's being done. And we, the people, know even less than that.

So, how can we even judge whether the proposed legislation "works?" It feels like a variation of pin-the-tail-on-the-donkey to me, and it will be sheer luck if this legislation gets it right. Especially because I think the people behind these programs, the ones running them, don't really want to "fix" them - they want to continue to be able to operate without being hamstrung in any way.

So, it's hard for me to trust them, or trust their motives. It's as if we're all blindfolded, able to see little more than slivers of light around the edges, and having to trust that we aren't being manipulated to turn this way or that and eventually walked over the edge of the cliff.

I don't know how we can even answer the question of whether this bill is better than no bill at all, because we simply don't have enough information - and we aren't going to be getting it anytime soon.